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(57) Abstract: Currently data transmission over 
the Internet between two client computers where 
both client computers are protected by firewalls is 
problematic, since firewalls block incoming packets. 
A method is provided for permitting packet based 
data transmission between a first client computer 
CI protected by a first NAPT or NAT firewall and 
a second client computer C2 protected by a second 
NAPT or NAT firewall to traverse the first and the 
second firewalls. The method can also be applied to 
other devices, such as routers, using NAT or NAPT. 
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METHOD AND APPARATUS TO PERMIT DATA TRANSMISSION TO TRAVERSE FIREWALLS 

Related application 

This application claims priority from previously filed United States 
provisional patent application serial number 60/269,357, filed February 20, 2001, 
entitled METHOD AND APPARATUS TO PERMIT REAL-TIME MEDIA 
DELIVERY TO TRAVERSE FIREWALLS ON A COMPUTER NETWORK. 

Technical Field 

The invention relates to the field of data transmission over a computer 
network, and more particularly to methods for permitting data transmissions using 
packet based transmission protocols to traverse firewalls. 

Background Art 

Computers connected to wide area networks like the Internet are 
commonly protected by firewalls. Firewalls are most commonly used to protect 
computers operating on local area networks, but they can also be used to protect 
individual computers, including servers, which access a wide area network. In 
this application, the term "client computer'* will encompass any computer with 
access to a wide area network, and also a program operating on such a computer. 
Such a computer may, but need not, operate on a local area network, and may 
perform the functions of a server on the wide area network. 

Firewalls typically perform a number of functions. They protect internal 
computers from outside computers on the wide area network, while allowing 
internal computers to access the wide area network. Firewalls can also make local 
network administration more efficient, by permitting a large number of client 
computers to share a limited pool of Internet Protocol (IP) addresses on the wide 
area network, and by accommodating changes within the local network without 
having to re-configure access to the other computers on the wide area network. 
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A firewall is typically a program or collection of related programs on a 
network gateway server which check each network packet to determine whether 
to forward it to its destination. To create a barrier between an internal computer 
and the outside wide area network, firewalls commonly use NAT (network 
5 address translation) or NAPT (network address and port translation). NAT is the 
translation of an internal IP address used by a client computer (and known within 
the internal network, if the client computer is operating on one), to a different IP 
address known within the outside wide area network. The firewall maps internal 
IP addresses to one or more global external IP addresses, and reverse maps the 

10 external IP addresses on incoming packets back into internal IP addresses. NAPT 
is the translation of both internal IP addresses and internal ports to different 
external IP addresses and external ports known within the outside network. 
Firewalls using NAPT commonly screen incoming packets to make sure that they 
come from a previously identified IP address and port. That is, a request from a 

15 particular IP address and port traverses the firewall only if a request previously 
went out from the firewall to that IP address and port. 

Data transmission over the Internet has become an everyday occurrence. 
Many Internet data transmissions are used to transport audio and / or video data 

20 from a live or on-demand streaming server to streaming clients, to provide real- 
time interactive communication (such as "chat") between client computers, to 
transport the contents of web-pages from web-servers to web-clients, and for 
many other types of communication among networked programs. Different 
protocols are used to transmit different types of data. For example, text chat is 

25 generally transmitted using Transmission Control Protocol (TCP), while audio / 
video conferencing and live audio / video streaming are generally transmitted 
using UDP (User Datagram Protocol). Communications through a server 
connected directly to the Internet (that is, not behind a firewall) are not generally 
obstructed by client-side firewalls; the act of logging on to a server generally 

30 opens a return path from the server through the firewall. However, firewalls 
commonly block direct client-to-client, or "peer-to-peer" communication. One 
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attempted solution is to open certain ports in the firewall, but this solution (i) 
requires modification of the firewall settings, which most network administrators 
are reluctant to do, and (ii) does not work with firewalls that perform any sort of 
port translation. The present invention provides a method for permitting packet 
5 based data transmission to traverse firewalls using either NAPT or NAT without 
altering firewall settings. The invention is disclosed in the context of a firewall 
using NAPT, as the more general case. However, the method provided in the 
invention is equally applicable to a firewall using NAT, and also to other types of 
devices, such as routers, using either NAPT or NAT 

10 

Disclosure of Invention 

The invention therefore provides a method of transmitting a data packet 
from a first computer to a second computer over a wide area computer network, a 

15 data packet transmitted from the first computer having a first source address 
designating the first computer and a data packet transmitted from the second 
computer having a second source address designating the second computer, 
wherein the first computer is protected by a first firewall which translates the first 
source address to a first external address when transmitting a data packet from the 

20 first computer to the wide area network, and the second computer is protected by 
a second firewall which translates the second source address to a second external 
address when transmitting a data packet from the second computer to the wide 
area network, the first and second firewalls communicating over the wide area 
computer network, the method using a designated recipient computer in 

25 communication with the first and second computers via the wide area computer 
network, said method comprising: a) the first and second computers sending first 
and second data packets to the designated recipient computer; b) the designated 
recipient computer communicating the first external address from the first data 
packet to the second computer and communicating the second external address 

30 from the second data packet to said first computer; c) the second computer 


WO 02/067531 


PCT/CA02/00214 


-4- 

sending a data packet to the first external address; and d) the first computer 
sending a data packet to said second external address. 

The method further provides for two-way transmission of data by 
5 additionally having the second computer then send a data packet to the first 

external address. The method can be applied to a plurality of computers protected 
by firewalls communicating over a wide area network. The firewalls may be 
NAT or NAPT. In particular the method works if the IP address and port are 
translated at the firewall, or only the IP address. The designated recipient 
10 computer can be any type of computer, including without limitation a designated 
server, a peer computer involved in the data transmission, or a peer computer not 
involved in the data transmission. 

The present invention further provides a computer program product for 
15 carrying out the foregoing method, and a system for transmitting a data packet 
between two firewall-protected computers over a wide area network, 

Brief Description of Drawings 

20 Figure 1 is a schematic diagram illustrating a preferred embodiment of the 

invention; and 

Figure 2 is a flowchart illustrating a preferred embodiment of the 
invention. 

25 Best Mode(s) for Carrying Out the Invention 

Fig. 1 schematically illustrates a client computer CI (12) on local area 
network (14), protected by NAPT firewall FW1 (16), wishing to send a UDP data 
stream, such as a live video data stream, over Internet 10, to client computer C2 
30 (20) on local area network (22), protected by NAPT firewall FW2 (24). Within 
this schematic, CI has internal IP address HI, and will use internal port hi to 


WO 02/067531 


PCT/CA02/00214 


-5- 

transmit the UDP data stream. Firewall FW1 translates these into external IP 
address Fl and external port fl (18). C2 has internal IP address H2, and will use 
internal port h2 to receive the UDP data stream. Firewall FW2 will receive UDP 
packets destined for C2 at external IP address F2 and external port f2 (26). Both 
5 CI and C2 log onto a server SI (28), whose purpose is to establish a path to 
transmit the UDP data stream from CI to C2. However, the UDP data stream is 
not transmitted through the server. It is sent client-to-client to take advantage of 
efficiencies and scalability that can be realized from peer-to-peer communication 
over the Internet. 

10 

Peer-to-peer communications are prevented by almost all firewalls. NAPT 
firewalls FW1 and FW2 will only permit an incoming UDP packet to pass if (i) its 
source and destination addresses match the destination and source addresses, 
respectively, of a recent outgoing UDP packet, and (ii) its source and destination 
15 ports match the destination and source ports, respectively, of a recent outgoing 
UDP packet. If either CI or C2 attempts to send a packet to the other, the 
receiver's firewall will block the incoming packet if it does not meet these criteria. 

The present invention permits CI to send a UDP data stream to C2 by the 
20 following steps: 

(1) CI sends a UDP packet Ul to server SI. CI initiates the transmission 
from its internal IP address and UDP port (HI :hl). Firewall FW1 translates the BP 
address and port to Fl :fl at the external interface of FW1. 

25 

(2) When S 1 receives packet Ul from Fl ;fl , S 1 can identify Fl and fl as the 
external IP address and external port from which FW1 will send the UDP data 
stream originating with CI. 
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(3) C2 sends a UDP packet U2 to server SI . C2 initiates the transmission 
from its internal IP address and UDP port (H2:h2). Firewall FW2 translates the IP 
address and port to F2:f2 at the external interface of FW2. 

5 (4) When SI receives packet U2 from F2:f2, SI can identify F2 and £2 as the 
external IP address and external port at which FW2 will receive the UDP data 
stream to be transmitted from CI to C2. 

(5) SI tells C2 that Fl :fl are the external IP address and port from which CI 
10 will send the UDP data stream. 

(6) SI tells CI that F2:f2 are the external IP address and port to which the 
UDP data stream destined for C2 should be sent, 

1 5 (7) C2 sends a UDP packet U3 to Fl :fl , using its internal port h2. Firewall 
FW2 will send the packet from F2:f2. This packet will be blocked by firewall 
FW1 . However, as described in step (8), it will prompt firewall FW2 to pass 
subsequent packets sent by CI destined for C2. 

20 (8) When CI subsequently sends a data stream consisting of UDP packets 
destined for C2 from its internal port hi, firewall FW1 will send them from Fl :fl 
to F2:f2. Because of the packet sent in step (7), firewall FW2 recognizes Fl :fl as 
an address and port to which it has recently sent a packet from F2:f2. 
Accordingly, it permits packets sent from Fl :fl to F2:f2 to pass through the 

25 firewall, and forwards them to H2:h2, the internal IP address and port for C2. 

In this way, the invention creates a means by which UDP data streams 
originating with CI pass through to C2. This can be used for streaming 
applications, in which CI sends a live or on-demand data stream to C2. Steps 
30 similar to (1) to (8), carried out vice versa, will permit UDP data streams 

originating with C2 to pass through firewall Fl, to CI. Thus, CI and C2 can 
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utilize applications which depend on two-way transmission of UDP data streams, 
such as video conferencing. Similar steps carried out by a number of client 
computers, CI ,. . .,CN, will permit one-to-many, many-to-one, or many-to-many 
transmission of UDP data streams through NAPT firewalls. 
5 

For the method to work with a firewall using NAPT, the packets sent in 
steps (1) and (3) will generally have to be of the same type (i.e. TCP, UDP, etc.) 
as the type used to transmit the data in step (8). The reason is that many computer 
applications or firewalls use different ports to transmit and receive different types 
10 of data. However, if that is not the case, the packets sent in steps (1) and (3) need 
not be of the same type as the type used in step (8). In addition, firewall FW1 
must use the same external IP address and port to send the initial packet in step 
(1) as it uses subsequently to commence sending the data to C2 in step (8) 
(although the method can be adapted to accommodate subsequent changes in the 
15 IP addresses and ports, as described more fully below). This generally happens in 
practice so long as the software at client computer CI is written to send both 
transmissions from the same internal BP address and port, as most firewall 
programs using NAPT currently create one-to-one mappings between internal IP 
addresses and ports and external IP addresses and ports used to send the same type 
20 of packet. Similarly, firewall FW2 must use the same external IP address and port 
to send the packet in step (3) that it will use to commence receiving the data in 
step (8). This also will generally happen in practice, so long as the software at 
client computer C2 is written to send the packet in step (3) from, and to receive 
the data in step (8) at, the same internal IP address and port. 

As will be apparent to those skilled in the art, the method can be readily 
adapted to support two-way data transmission between CI and C2, to support one- 
to-many data transmission from CI to client computers C2,. . ,,CN, to support 
many-to-one data transmission from client computers C2,. . .,CN to CI, or to 
support many-to-many data transmission among client computers CI ,. . .,CN. As 
well, the invention has been described with both CI and C2 protected by 
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firewalls, as that situation provides the clearest description of the invention. 
However, the method is readily adapted to the situation where only the receiving 
client computer is protected by a firewall. 

5 The designated recipient computer can be any type of computer, including 

without limitation a designated server, a peer computer involved in the data 
transmission, or a peer computer not involved in the data transmission. 

As will be apparent to those skilled in the art in light of the foregoing 
10 disclosure, many alterations and modifications are possible in the practice of this 
invention without departing from the spirit or scope thereof. For example, the 
possible alterations and modifications include, but are not limited to, the 
following: 

15 1 . For robustness against packet loss or delay, CI and /or C2 could send 
multiple packets to SI in steps (1) and (3), instead of a single packet. Packets 
could be sent until confirmation is received that SI has received one of the 
packets. 

20 2. Also for robustness against packet loss or delay, C2 could send multiple 
packets in step (7), instead of a single packet. Packets could be sent until 
confirmation is received that FW1 has received one of the packets. 

3. The method can also be used when either CI or C2 uses separate ports for 
25 sending and receiving UDP data streams. For example, if CI uses hi for sending 
UDP data streams and h3 for receiving data streams, firewall FW1 will translate 
these into fl and f3 respectively. C2 would have to send a UDP packet from its 
receiving port to fl, and CI would have to send a UDP packet from f3 to the 
sending port for C2. These packets would open paths over which CI could send 
30 to C2 (through fl), and over which C2 could send to CI (through £3). 
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4. In the case of two-way communication, and where firewalls FW1 and 
FW2 use the same external ports for both sending and receiving UDP data, the 
initial data packets in the data streams can be used as the packets required to open 
the paths (as in step (7)). The initial data packets may be blocked, until a data 
5 packet is sent in the other direction. However, applications using UDP 

transmissions are typically robust against packet loss, and the method will work 
so long as loss of the initial data packet or packets is not critical to the application 
in question. 

10 5. If firewall FW1 (or FW2) changes the external IP address or port which it 
uses to transmit UDP data for any reason (such as a long data transmission or 
period of silence), the method can be adapted to refresh the data identifying the 
external EP addresses and ports, to maintain open transmission paths. For 
example, if FW1 changes the external IP address or port used to transmit UDP 

15 data originating from CI , new packets will be sent periodically to the 

intermediary server SI as in step (1), above, to identify any new IP address or port 
being used by FW1 . The remaining steps (2) through (8) can then be repeated 
using new data. All that the method requires is that the same external sending IP 
address and port be used by FW1 for a long enough period of time that the initial 

20 packet sent to SI in step (1) come from the same IP address and port as the initial 
data packets in the UDP data stream. 

6. In the best mode described above, server S 1 is used as intermediary to 
receive UDP packets originating from CI and C2, and to use information 

25 contained in those packets to identify the external ports being used by FW1 and 
FW2. However, any other means for informing each terminal of the other's 
external ports will also work according to the invention. For example, CI and C2 
could use different echo servers, SI and S2, which return any UDP packet to its 
source. This will permit CI and C2 to identify Fl:fl and F2:f2, respectively. CI 

30 and C2 could use any other means, such as off-line exchange of information by 
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the users, or TCP transmissions either directly to the other or through a common 
server, to inform each other about Fl :fl and F2:f2. 

7. The method can be used where client computers communicate through a 
5 server computer, although the method is not usually needed in that case, as a 

client computer generally opens a return path from the server when it logs on to 
the server. 

8. The method can also be used where only the receiving client computer is behind 
10 a firewall, but there is no firewall protecting the sending client computer. 

9. Although the above method has been described in the context of real-time 
audio and video communications using UDP packets, it will be apparent to those 
skilled in the art that the method has application to other forms of packet based 
data transmission. 

10. The method can also be adapted to firewalls which do not create one-to- 
one mappings between internal and external IP addresses and ports, by deducing 
the mapping scheme from received packets, and then utilizing the deduced 
mapping schemes to send the required packets from the external receiving IP 
addresses and ports of each client computer to the external sending IP addresses 
and ports of each other client computer. 

1 1 . While the invention has been disclosed in connection with a NAPT 
firewall, it would also operate in the same manner if firewalls FW1 and FW2 are 
NAT firewalls. In that case, NAT FW1 would translate HI :hl to Fl :hl, and NAT 
FW2 would translate H2:h2 to F2:h2. The method would otherwise be identical. 
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WHAT IS CLAIMED IS: 


1. 


A method of transmitting a data packet from a first computer to a 


second computer over a wide area computer network, a data packet transmitted 
5 from said first computer having a first source address designating said first 
computer and a data packet transmitted from said second computer having a 
second source address designating said second computer, wherein said first 
computer is protected by a first firewall which translates said first source address 
to a first external address when transmitting a data packet from said first computer 

10 to said wide area network, and said second computer is protected by a second 
firewall which translates said second source address to a second external address 
when transmitting a data packet from said second computer to said wide area 
network, said first and second firewalls communicating over said wide area 
computer network, said method using a designated recipient computer in 

15 communication with said first and second computers via said wide area computer 
network, said method comprising: 

a) said first and second computers sending first and second data 
packets to said designated recipient computer; 
20 b) said designated recipient computer communicating said first 

external address from said first data packet to said second computer and 
communicating said second external address from said second data packet to said 
first computer; 


25 address; and 

d) said first computer sending a data packet to said second external 
address. 


30 between a first computer and a second computer over a wide area computer 

network, a data packet transmitted from said first computer having a first source 


c) 


said second computer sending a data packet to said first external 


2. 


A method for permitting two-way transmission of data packets 
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address designating said first computer and a data packet transmitted from said 
second computer having a second source address designating said second 
computer, wherein said first computer is protected by a first firewall which 
translates said first source address to a first external address when transmitting a 
5 data packet from said first computer to said wide area network, and said second 
computer is protected by a second firewall which translates said second source 
address to a second external address when transmitting a data packet from said 
second computer to said wide area network, said first and second firewalls 
communicating over said wide area computer network, said method using a 
10 designated recipient computer in communication with said first and second 
computers via said wide area computer network, said method comprising: 

a) said first and second computers sending first and second data 
packets to said designated recipient computer; 
15 b) said designated recipient computer communicating said first 

external address from said first data packet to said second computer and 
communicating said second external address from said second data packet to said 
first computer; 

c) said second computer sending a first data packet to said first 
20 external address; 

d) said first computer sending a data packet to said second external 
address; and 

e) said second computer sending a second data packet to said first 
external address. 

25 

3. A method for permitting two-way transmission of data packets 
between any two of a plurality of computers over a wide area computer network, a 
data packet transmitted from each computer having a source address designating 
said computer, wherein each computer is protected by a firewall which translates 
30 said source address of said computer to an external address when transmitting a 
data packet from said computer to said wide area network, said firewalls 
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communicating over said wide area computer network, said method using a 
designated recipient computer in communication with said plurality of computers 
via said wide area computer network, said method comprising: 

5 a) said plurality of computers sending respective data packets to said 

designated recipient computer; 

b) said designated recipient computer communicating the respective 
external addresses from said data packets to said plurality of computers; 

c) a first of said plurality of computers having a first external address 
10 sending a first data packet to a second external address associated with a second 

of said plurality of computers; 

d) said second computer sending a data packet to said first external 
address; and 

e) said first computer sending a second data packet to said second 
15 external address. 

4. The method of Claims 1 or 2 wherein a data packet transmitted 
from said first computer further has a first port designating said first computer and 
a data packet transmitted from said second computer has a second port 

20 designating said second computer, and said first firewall further translates said 
first port to a first external port when transmitting a data packet from said first 
computer to said wide area network, and said second computer is protected by a 
second firewall which further translates said second port to a second external port 
when transmitting a data packet from said second computer to said wide area 

25 network. 

5. The method of Claims 1 to 4 wherein said firewalls are NAPT 
firewalls. 

30 6. The method of Claims 1 to 3 wherein said firewalls are NAT 

firewalls. 
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7. The method of Claims 1 to 3 wherein said data packets consist of 
UDP data streams. 

8. The method of Claims 1 to 3 wherein said data packets consist of 
5 live audio / video data streams. 

9. The method of Claims 1 to 3 wherein said data packets consist of 
stored audio / video data. 

10 10. The method of Claims 1 to 3 wherein said data packets consist of 

the contents of a stored computer file. 

1 1 . The method of Claims 1 to 3 wherein said data packets consist of 
data streams carrying audio / video conferencing communication. 

15 

12. The method of Claims 1 to 3 wherein multiple data packets are sent 
by said first and second computers in step (a). 

13. The method of Claims 1 to 3 wherein multiple data packets are sent 
20 in step c). 

1 4. The method of Claims 1 to 3 wherein multiple data packets are sent 

step d). 

25 15. The method of Claims 2 or 3 wherein multiple data packets are 

sent in step e). 

1 6. The method of Claims 1 or 2 wherein said first and second 
computers use different internal ports for sending and receiving said data packets, 
30 which internal ports get mapped to different external ports for sending and 

receiving said data packets, and the packets in step (c) of Claim 1, and in steps (c) 
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and (d) of Claim 2, are sent from the receiving port of each firewall to the sending 
port of the other firewall. 

17. The method of Claims 1 to 3 wherein the steps therein are repeated 
5 periodically to accommodate changes in the external ports being used by some or 

all of the firewalls.P 

1 8. The method of Claims 1 to 4 wherein said designated recipient 
computer is a common server. 

10 

19. The method of Claims 1 to 4 wherein said designated recipient 
computer is a peer computer involved in the data transmission. 

20. The method of Claims 1 to 4 wherein said designated recipient 
1 5 computer is a peer computer not involved in the data transmission. 

21. The method of Claims 1 to 3 wherein said designated recipient 
computer is an echo server, and said echo server communicates said addresses to 
said first and second computer by returning each packet to said first or second 

20 computer which was its source, and said first or second computer communicating 
said address to the other computer. 

22. The method of Claims 1 to 3 wherein said first and second 
computers transmit data through a server computer. 

25 

23. A computer program product for transmitting a data packet from a 
first computer to a second computer over a wide area computer network, a data 
packet transmitted from said first computer having a first source address 
designating said first computer and a data packet transmitted from said second 

30 computer having a second source address designating said second computer, 
wherein said first computer is protected by a first firewall which translates said 
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10 


first source address to a first external address when transmitting a data packet 
from said first computer to said wide area network, and said second computer is 
protected by a second firewall which translates said second source address to a 
second external address when transmitting a data packet from said second 
computer to said wide area network, said first and second firewalls 
communicating over said wide area computer network, said method using a 
designated recipient computer in communication with said first and second 
computers via said wide area computer network, said computer program product 
comprising 


a) a computer usable medium having computer read-able program 
code means embodied in the medium for causing said first and second computers 
to send first and second data packets to said designated recipient computer; 

b) the computer usable medium having computer readable program 
15 code means embodied in the medium for causing said designated recipient 

computer to communicate said first external address from said first data packet to 
said second computer and communicating said second external address from said 
second data packet to said first computer; 

c) the computer usable medium having computer readable program 
20 code means embodied in the medium for causing said second computer to send a 

data packet to said first external address; and 

d) the computer usable medium having computer readable program 
code means embodied in the medium for causing said first computer to send a 
data packet to said second external address. 

25 

24. A computer program product for permitting two-way transmission 
of data packets between a first computer and a second computer over a wide area 
computer network, a data packet transmitted from said first computer having a 
first source address designating said first computer and a data packet transmitted 
30 from said second computer having a second source address designating said 

second computer, wherein said first computer is protected by a first firewall which 
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translates said first source address to a first external address when transmitting a 
data packet from said first computer to said wide area network, and said second 
computer is protected by a second firewall which translates said second source 
address to a second external address when transmitting a data packet from said 
5 second computer to said wide area network, said first and second firewalls 
communicating over said wide area computer network, said method using a 
designated recipient computer in communication with said first and second 
computers via said wide area computer network, said method comprising: 

10 a) a computer usable medium having computer read-able program 

code means embodied in the medium for causing said first and second computers 
to send first and second data packets to said designated recipient computer; 

b) the computer usable medium having computer readable program 
code means embodied in the medium for causing said designated recipient 

15 computer to communicate said first external address from said first data packet to 
said second computer and communicating said second external address from said 
second data packet to said first computer; 

c) the computer usable medium having computer readable program 
code means embodied in the medium for causing said second computer to send a 

20 data packet to said first external address; 

d) the computer usable medium having computer readable program 
code means embodied in the medium for causing said first computer to send a 
data packet to said second external address; and 

e) the computer usable medium having computer readable program 
25 code means embodied in the medium for causing said first computer to send a 

data packet to said second external address. 

25. The computer program product of Claims 23 or 24 wherein said 
real-time media delivery involves live audio / video data. 

30 
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26. The computer program product of Claims 23 or 24 wherein the 
said real-time media delivery involves stored on-demand streamed audio / video 
data. 

5 27. The computer program product of Claims 23 or 24 wherein the 

said real-time media delivery involves the contents of a stored computer file. 

28. The computer program product of Claims 23 or 24 wherein the 
said real-time media delivery involves audio / video conferencing communication. 

10 

29. The computer program product of Claims 23 or 24 wherein the 
program causes the computer on which the computer program is Operating to send 
a UDP data packet to an intermediary for the purpose of identifying the external 
sending port which will be assigned to it, and receives data from the intermediary 

15 to identify the external receiving port assigned to the other participant. 

30. A system for transmitting a data packet between two firewall- 
protected computers over a wide area network, said system comprising: 

20 a) first and second computers adapted to communicate over a wide 

area computer network, wherein a data packet transmitted from said first 
computer has a first source address designating said first computer and a data * 
packet transmitted from said second computer has a second source address 
designating said second computer, wherein said first computer is protected by a 

25 first firewall which translates said first source address to a first external address 
when transmitting a data packet from said first computer to said wide area 
network, and said second computer is protected by a second firewall which 
translates said second source address to a second external address when 
transmitting a data packet from said second computer to said wide area network, 

30 said first and second firewalls communicating over said wide area computer 
network, 
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b) a designated recipient computer in communication with said first 
and second computers via said wide area computer network; 

wherein said first and second computers comprise means for 
sending first and second data packets to said designated recipient 
5 computer; said designated recipient computer comprises means for 

communicating said first external address from said first data 
packet to said second computer and communicating said second 
external address from said second data packet to said first 
computer; said second computer comprises means sending a data 
10 packet to said first external address; and said first computer 

comprising means for sending a data packet to said second external 
address. 
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FIG. 1 
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C1 sends a UDP packet U1 to 
server S1 from its internal IP 
address and UDP port (H1 :h1). 



Firewall FW1 translates the IP 
address and port to F1 :f 1 


r 

C2 sends a UDP packet U2 to 
server S1 from its internal IP 
address and UDP port (H2:h2). 


r 

Firewall FW2 tr 
address and 

•anslates the IP 
port to F2:f2 


FIG. 2 


J 

S1 tells C2 that F1 :f 1 are the external IP address 
and port from which C1 will send the UDP data 
stream and S1 tells C1 that F2:f2 are the external 
IP address and port to which the UDP data stream 
destined for C2 should be sent 


I 

C2 sends a UDP packet U3 to F1 :f 1 , using 
its internal port h2 and Firewall FW2 sends 
the packet from F2:f2. 

i • 

C1 sends a UDP packet destined for C2 
from its internal port hi and firewall FW1 
sends it from F1 :f 1 to F2:f2. 


i 

Firewall FW2 recognizes F1:f1 as an address and 
port to which it has recently sent a packet from F2:f2 
and it permits packets sent from F1:f1 to F2:f2 to 
pass through the firewall, and forwards them to 
H2:h2, the internal IP address and port for C2. 
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